
Recovering Recently Opened Deleted Files

rajeshkumar created the topic: Recovering Recently Opened Deleted Files
By using lsof, you can recover a deleted file that a process already has open. This comes in very handy when an attacker gains access to a system, executes commands or makes configuration changes, and then removes the log file(s) to erase evidence. A sysadmin can use this method to recover files that are still held open by some process and check what the hacker has changed.

lsof (list open files) is the command used for this:

lsof | grep "syslog" (lists the processes that have this file open)

rsyslog 998 root 1w REG 8,3 141400 1237857 /var/log/syslog

Here the process 990 (PID) has opened the file '/var/log/syslog' with file descriptor 1 (1w).

To recover the content of the file, just run the following command:

cat /proc/990/fd/1 > syslog.safe

You will have the content of the file stored in syslog.safe.
Regards,
Rajesh Kumar
Tweet me @ twitter.com/RajeshKumarIn
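
Added example (not part of the original post): a shell helper that generalizes the steps above by scanning /proc for descriptors whose link target ends in " (deleted)" and copying one out read-only. The function names list_deleted_fds and recover_fd are hypothetical; it assumes Linux and enough privilege (usually root) to read the target process's /proc entries.

```shell
#!/bin/sh
# Added example: find files that were deleted but are still held open, and copy them out.
# Assumes Linux: readlink on /proc/PID/fd/N ends in " (deleted)" once the file is unlinked.

# list_deleted_fds [PID...]
# Prints "PID FD PATH" for every open descriptor whose file has been unlinked.
# With no arguments it scans every process visible in /proc.
list_deleted_fds() {
    if [ "$#" -eq 0 ]; then
        set -- $(ls /proc | grep -E '^[0-9]+$')
    fi
    for pid in "$@"; do
        for link in /proc/"$pid"/fd/*; do
            # Processes can exit mid-scan and some fds are unreadable; skip those.
            target=$(readlink "$link" 2>/dev/null) || continue
            case "$target" in
                /*" (deleted)")
                    printf '%s %s %s\n' "$pid" "${link##*/}" "${target% (deleted)}"
                    ;;
            esac
        done
    done
}

# recover_fd PID FD DEST
# Copies the content behind /proc/PID/fd/FD to DEST, as the cat command in the post does.
recover_fd() {
    src=/proc/$1/fd/$2
    if [ ! -r "$src" ]; then
        echo "cannot read $src" >&2
        return 1
    fi
    # Never overwrite an existing file: the recovered copy is evidence.
    if [ -e "$3" ]; then
        echo "$3 already exists" >&2
        return 1
    fi
    cat "$src" > "$3" && chmod 0400 "$3"
}

# Typical use, with the values from the post:
#   list_deleted_fds
#   recover_fd 990 1 syslog.safe
```

The copy is a snapshot of the file at that moment; once the process holding the descriptor exits or is restarted, the data is gone, so recover the file before restarting the service.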
